Closed
Bug 1209001
Opened 9 years ago
Closed 9 years ago
Crash [@ js::ModuleObject::create] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla44
People
(Reporter: decoder, Assigned: jonco)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
Attachments
(1 file)
1.66 KB, patch (terrence: review+)
The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

function oomTest(f) {
  var i = 1;
  do {
    try {
      oomAtAllocation(i);
      f();
    } catch (e) {
      more = resetOOMFailure();
    }
    i++;
  } while(more);
}
function foo() {
  function testImportEntries(source, expected) {
    var module = parseModule(source);
  }
  testImportEntries('import v from "mod";', [{}]);
}
oomTest(foo);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::ModuleObject::create (cx=0x7ffff6907000) at js/src/jsobj.h:122
#0  js::ModuleObject::create (cx=0x7ffff6907000) at js/src/jsobj.h:122
#1  0x000000000062aa03 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffa7d0) at js/src/frontend/BytecodeCompiler.cpp:642
#2  0x000000000062b06d in js::frontend::CompileModule (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., optionsInput=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:843
#3  0x00000000004867ca in ParseModule (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7ffff47fc270) at js/src/shell/js.cpp:3100
#4  0x0000000000705f32 in js::CallJSNative (cx=0x7ffff6907000, native=0x4865a0 <ParseModule(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x00000000006fb163 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#6  0x00000000006ece29 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3072
#7  0x00000000006fa95b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:709
#8  0x00000000006fb23f in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#9  0x00000000006fbdad in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffc818, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#10 0x00000000008cad6a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffc858, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc808, res=...) at js/src/jit/BaselineIC.cpp:8904
#11 0x00007ffff7feef9f in ?? ()
#12 0x00007fffffffc810 in ?? ()
#13 0x00007fffffffc7c0 in ?? ()
#14 0xfff9000000000000 in ?? ()
#15 0x0000000001b5ad60 in js::jit::DoSpreadCallFallbackInfo ()
#16 0x00007ffff7e56b80 in ?? ()
#17 0x00007ffff7ff2383 in ?? ()
#18 0x0000000000000802 in ?? ()
#19 0x00007fffffffc858 in ?? ()
#20 0x00007ffff69cb620 in ?? ()
#21 0x0000000000000000 in ?? ()

rax  0x0              0
rbx  0x3ffffa3f65a8   70368647669160
rcx  0x0              0
rdx  0x0              0
rsi  0x0              0
rdi  0x0              0
rbp  0x7fffffffa320   140737488331552
rsp  0x7fffffffa2c0   140737488331456
r8   0x0              0
r9   0x3000           12288
r10  0x1b             27
r11  0x2              2
r12  0x7ffff6907000   140737330049024
r13  0x7fffffffa2d0   140737488331472
r14  0x1b52978        28649848
r15  0x7fffffffa7d0   140737488332752
rip  0x5b094c <js::ModuleObject::create(js::ExclusiveContext*)+444>
=> 0x5b094c <js::ModuleObject::create(js::ExclusiveContext*)+444>: mov (%rdi),%rax
   0x5b094f <js::ModuleObject::create(js::ExclusiveContext*)+447>: mov (%rax),%rax
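Added example (not part of the bug report and not SpiderMonkey code): a user-land model of the oomTest() loop in the testcase, showing what the sweep is designed to catch. The shell's oomAtAllocation()/resetOOMFailure() pair is stood in for by a constructed FaultAllocator whose alloc() returns null on exactly the N-th allocation, the way a C allocator reports exhaustion. createModuleUnchecked() and createModuleChecked() are hypothetical stand-ins, one that uses allocation results without a null check and one that checks every result; the report's register dump shows the faulting `mov (%rdi),%rax` with rdi = 0, which is the native form of the same defect class. Sweeping N upward until a run completes without the injected failure firing visits every allocation site the function reaches; the expected outcome of each run is OOMError, and any other exception is recorded as a finding.

```javascript
// Added example: user-land model of the shell's OOM fault-injection loop.
// Nothing here is SpiderMonkey's API; the names mirror the testcase only.

class OOMError extends Error {
  constructor() {
    super("simulated out of memory");
    this.name = "OOMError";
  }
}

// Constructed stand-in for oomAtAllocation()/resetOOMFailure():
// alloc() returns null on exactly the N-th allocation after arming.
class FaultAllocator {
  constructor() {
    this.failAt = 0; // 0 = disarmed
    this.count = 0;
    this.fired = false;
  }
  oomAtAllocation(n) {
    this.failAt = n;
    this.count = 0;
    this.fired = false;
  }
  // Reports whether the injected failure fired during the run, then disarms.
  resetOOMFailure() {
    const fired = this.fired;
    this.failAt = 0;
    return fired;
  }
  // C-style contract: the allocated object, or null when allocation "fails".
  alloc(kind) {
    this.count += 1;
    if (this.failAt !== 0 && this.count === this.failAt) {
      this.fired = true;
      return null;
    }
    return { kind };
  }
}

// Hypothetical create(): the first allocation is checked, the next two are not.
// Using a null result throws TypeError here, the user-land analogue of SIGSEGV.
function createModuleUnchecked(heap) {
  const env = heap.alloc("environment");
  if (env === null) throw new OOMError();
  const obj = heap.alloc("module");
  obj.environment = env;                     // TypeError when obj is null
  obj.namespace = heap.alloc("namespace");
  obj.namespace.owner = obj;                 // TypeError when namespace is null
  return obj;
}

// Hardened create(): every allocation result is checked and failure is
// reported as OOM to the caller instead of being dereferenced.
function createModuleChecked(heap) {
  const env = heap.alloc("environment");
  if (env === null) throw new OOMError();
  const obj = heap.alloc("module");
  if (obj === null) throw new OOMError();
  obj.environment = env;
  const ns = heap.alloc("namespace");
  if (ns === null) throw new OOMError();
  ns.owner = obj;
  obj.namespace = ns;
  return obj;
}

// Sweep: fail allocation 1, 2, 3, ... until a run completes without the
// injected failure firing. OOMError is expected; anything else is a defect.
function oomTest(f) {
  const heap = new FaultAllocator();
  const findings = [];
  let i = 1;
  let more;
  do {
    heap.oomAtAllocation(i);
    try {
      f(heap);
    } catch (e) {
      if (!(e instanceof OOMError)) {
        findings.push({ allocation: i, error: `${e.name}: ${e.message}` });
      }
    } finally {
      more = heap.resetOOMFailure();
    }
    i++;
  } while (more);
  return { runs: i - 1, findings };
}

console.log("unchecked:", JSON.stringify(oomTest(createModuleUnchecked)));
console.log("checked:  ", JSON.stringify(oomTest(createModuleChecked)));
```

Placing resetOOMFailure() in a `finally` is what terminates the sweep: a run that finishes without the injected failure firing means no allocation site remains to test. Against createModuleUnchecked() the sweep reports findings at allocations 2 and 3 and stops after 4 runs; against createModuleChecked() it also stops after 4 runs and reports none.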
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150921063041" and the hash "a2bbfcdd5bf0403f00c02d1800efc74d920e7ec9". The "bad" changeset has the timestamp "20150921063236" and the hash "ab53cb21bbbea9b7b1824633f4b34c42866e0985". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=a2bbfcdd5bf0403f00c02d1800efc74d920e7ec9&tochange=ab53cb21bbbea9b7b1824633f4b34c42866e0985
Comment 2•9 years ago
Assignee: nobody → jcoppeard
Attachment #8666764 -
Flags: review?(terrence)
Updated•9 years ago
Attachment #8666764 -
Flags: review?(terrence) → review+
Backed out for Windows SM failures: https://treeherder.mozilla.org/logviewer.html#?job_id=14879279&repo=mozilla-inbound https://hg.mozilla.org/integration/mozilla-inbound/rev/84a0c01dcfda
Flags: needinfo?(jcoppeard)
Also broke a Windows jit test: https://treeherder.mozilla.org/logviewer.html#?job_id=14897744&repo=mozilla-inbound
Comment 6•9 years ago
Looking green when testing with the other patches I pushed today: https://treeherder.mozilla.org/#/jobs?repo=try&revision=4b9cd2e10c67
Updated•9 years ago
Flags: needinfo?(jcoppeard)
Still failing a few pushes up from when this landed: https://treeherder.mozilla.org/logviewer.html#?job_id=14973445&repo=mozilla-inbound
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/a58fa4dc5bbc
Flags: needinfo?(jcoppeard)
Comment 9•9 years ago
The testcase sometimes fails on try, but I can't reproduce it locally. It's not related to the content of the patch however, so I'm going to land the fix now and the testcase later when I can track down what's going on.
Flags: needinfo?(jcoppeard)
Keywords: leave-open
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 12•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5f16c6c2b969).
Comment 15•9 years ago
https://hg.mozilla.org/mozilla-central/rev/f79b353b2608
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44